Cyber Resilience

CVE-2024-26153

Severity: Medium
Published: 17 January 2025
Modified: 30 July 2025
KEV Added: not listed in the CISA KEV catalog
Patch: available (fixed in RAS 4.9.19)
CVSS Score v4: 6.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0016 (37.4th percentile)
Risk Priority: 13 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-26153 is a medium-severity cross-site request forgery (CSRF, CWE-352) vulnerability in ETIC Telecom Remote Access Server (RAS) firmware. Its CVSS v4 base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 37.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-26153 is a cross-site request forgery (CSRF) vulnerability, classified under CWE-352, affecting all versions of ETIC Telecom Remote Access Server (RAS) prior to 4.9.19. The issue stems from the "setconf" method request lacking any CSRF token requirement, allowing forged requests to be processed.

An external attacker requires no access or privileges on the device (PR:N) and can exploit this over the network (AV:N) with low complexity (AC:L), but the attack depends on user interaction (UI:R). By tricking an authenticated end user into submitting the forged request, for example by luring them to a malicious web page, the attacker causes a denial of service (A:H) on the device, with a changed scope (S:C) and no impact on confidentiality or integrity (C:N/I:N). The CVSS v3.1 base score is 7.4 (High); the 6.3 (Medium) headline figure above is the CVSS v4.0 score for the same issue.

The CISA ICS Advisory ICSA-22-307-01 provides further details on this vulnerability at https://www.cisa.gov/news-events/ics-advisories/icsa-22-307-01. Updating to ETIC Telecom RAS version 4.9.19 or later addresses the issue.

Vulnerability details

All versions of ETIC Telecom Remote Access Server (RAS) prior to 4.9.19 are vulnerable to cross-site request forgery (CSRF). An external attacker with no access to the device can force the end user into submitting a "setconf" method request, not requiring any CSRF token, which can lead into denial of service on the device.

CWE(s): CWE-352 Cross-Site Request Forgery (CSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
    Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1204.001 Malicious Link (Execution)
    An adversary may rely upon a user clicking a malicious link in order to gain execution.

Why these techniques?

A CSRF flaw in the RAS web interface, which is typically reachable as a public-facing application, maps to T1190; delivery requires tricking an authenticated user into following a malicious link (T1204.001), which triggers the denial of service.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-26155: same product (ETIC Telecom Remote Access Server firmware)
CVE-2025-25121: shared CWE-352
CVE-2025-24001: shared CWE-352
CVE-2025-25147: shared CWE-352
CVE-2026-34904: shared CWE-352
CVE-2025-28860: shared CWE-352
CVE-2026-45430: shared CWE-352
CVE-2025-23880: shared CWE-352
CVE-2025-59541: shared CWE-352
CVE-2026-23622: shared CWE-352

Affected Assets

Vendor: etictelecom (ETIC Telecom)
Product: Remote Access Server (RAS) firmware
Version range as listed: ≤ 4.9.19 (note that the advisory text and the vendor fix describe versions prior to 4.9.19 as affected and 4.9.19 as the fixed release, so 4.9.19 itself should be treated as patched)

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SC-23 Session Authenticity (prevent): directly protects against CSRF by requiring mechanisms such as unique per-session tokens to validate the authenticity of state-changing requests like the vulnerable "setconf" method.

SI-10 Information Input Validation (prevent): mandates validation of information inputs, including a CSRF token on the "setconf" endpoint, so that forged requests from external origins are rejected.

AC-3 Access Enforcement (prevent): enforces access control policies that can incorporate CSRF token checks, preventing execution of the "setconf" method through tricked user interaction.
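As an added illustration of the defect described under "Deeper analysis" and of the SC-23 / SI-10 pattern above (example code written for this page, not the ETIC Telecom RAS implementation, which is not shown here), the following contrasts a "setconf"-style handler that trusts the session cookie alone with one that also requires a per-session CSRF token. The in-memory session store, the session ids and the `example_setting` key are constructed for the demo.

```python
import hmac
import secrets

# Constructed in-memory session store (session id -> session state).
# Added example; not ETIC Telecom's code.
SESSIONS = {}

def new_session():
    """Log a user in: create a session and mint a random CSRF token bound to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf": secrets.token_urlsafe(32), "config": {}}
    return sid

def setconf_vulnerable(session_id, form):
    """Pattern behind CVE-2024-26153: the session cookie alone authorises the
    change, so a POST forged from another origin is applied like a real one."""
    sess = SESSIONS.get(session_id)
    if sess is None:
        return 401
    sess["config"].update(form.get("config", {}))
    return 200

def setconf_hardened(session_id, form):
    """Remediated pattern (SC-23 / SI-10): the request must also carry the token
    issued to this session, compared in constant time; otherwise it is rejected."""
    sess = SESSIONS.get(session_id)
    if sess is None:
        return 401
    token = form.get("csrf_token", "")
    if not isinstance(token, str) or not hmac.compare_digest(token, sess["csrf"]):
        return 403
    sess["config"].update(form.get("config", {}))
    return 200

def demo():
    """Return (vulnerable, hardened_forged, hardened_legit) status codes -> (200, 403, 200).
    The forged form rides on the victim's session (the browser attaches the cookie
    automatically) but carries no token, because a cross-origin page cannot read
    the token embedded in the legitimate page."""
    sid = new_session()
    forged = {"config": {"example_setting": "changed"}}  # constructed forged POST body
    legit = {"csrf_token": SESSIONS[sid]["csrf"],
             "config": {"example_setting": "changed"}}
    return (setconf_vulnerable(sid, forged),
            setconf_hardened(sid, forged),
            setconf_hardened(sid, legit))
```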
